On October 1, state-operated Health Insurance Exchanges are beginning operations under the Affordable Care Act (better known as Obamacare). These exchanges, which help all consumers buy deeply subsidized health insurance, will start registering patients with a January 1 start date for coverage. But due to a combination of poor branding by state governments, political opposition to the program, and simple savvy on the part of criminals, fake Affordable Care Act sites are expected to start popping up soon.

Security firm Trend Micro is tracking the fake sites, which either steer users toward more expensive and less comprehensive coverage, or simply steal users’ credit card and Social Security information. “The root problem is that the Health Insurance Exchange isn’t made up of a single, authoritative site where people can go and register for coverage. In addition to the Federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage,” Trend Micro’s Christopher Budd says.

Official Health Insurance Exchange sites aren’t required to verify their identity with SSL (although the main Federal site offers it). State-operated sites have no consistent branding or labeling; some states, such as Missouri, give deeply confusing information to potential customers. “As people look for health care exchanges, they’re going to be faced with potentially hundreds or thousands of sites that claim to be legitimate but won’t be able to easily verify that claim,” Budd added.